Hipsters and data

June 14, 2015

A while back I spent some time playing with the “modern” database implementations, more affectionately known as hipster tech. These are mostly your so-called NoSQL, big-data, etc. databases. Trying to interact with these databases required numerous scripts to be written, one for each database implementation. After chatting to @PaulWebSec I decided to merge these into a single tool. Thus HippyDB Tool was born.

The following databases are supported:

Aerospike

Cassandra

Hbase

Hive

Memcached

Mongodb

Redis

Riak

A quick scan of AWS and Google Cloud hosting showed that the vast majority of these databases are deployed on default ports, listening on all interfaces and, most critically, without any authentication. Furthermore, Shodan reports around 59k MongoDB instances on the default port of 27017 and again, all the data is available for all to view.

Having a tool to easily interact with these deployments highlights just how much data is available and what damage this could cause. Numerous instances of user creds, personal information and even credit-card numbers can be found.
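The exposure pattern described above (a database on its default port, bound to every interface) is the easy part to audit on your own hosts. The following is an added example, not part of the original post or of HippyDB: it parses `ss -ltn` output and flags the databases listed above when they listen on a wildcard address. The sample output is constructed, and the default ports other than MongoDB's 27017 come from the vendors' documentation rather than this post.

```javascript
// Default listening ports for the databases named in the post.
// Only 27017 (MongoDB) is stated in the post; the rest are assumed
// from vendor documentation and may differ on a tuned deployment.
const DEFAULT_PORTS = {
  3000: 'Aerospike',
  9042: 'Cassandra (CQL)',
  16000: 'HBase master',
  10000: 'Hive (HiveServer2)',
  11211: 'Memcached',
  27017: 'MongoDB',
  6379: 'Redis',
  8087: 'Riak (protocol buffers)',
  8098: 'Riak (HTTP)',
};

// Local addresses that mean "every interface"; anything else counts as scoped.
const WILDCARDS = new Set(['0.0.0.0', '*', '::']);

// Split the "Local Address:Port" column of `ss` into { addr, port }.
// Handles "0.0.0.0:27017", "127.0.0.1:6379", "*:6379" and "[::]:11211".
function parseLocal(field) {
  const i = field.lastIndexOf(':');
  if (i < 0) return null;
  const addr = field.slice(0, i).replace(/^\[|\]$/g, '');
  const port = Number(field.slice(i + 1));
  return Number.isInteger(port) ? { addr, port } : null;
}

// Walk `ss -ltn` output and report every known database port, marking
// those bound to a wildcard address as exposed.
function auditListeners(ssOutput) {
  const findings = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 5) continue; // header / other rows
    const local = parseLocal(cols[3]);
    if (!local || !(local.port in DEFAULT_PORTS)) continue;
    findings.push({ service: DEFAULT_PORTS[local.port], port: local.port,
                    addr: local.addr, exposed: WILDCARDS.has(local.addr) });
  }
  return findings;
}

// Constructed sample of `ss -ltn` output (not captured from a real host).
const SAMPLE_SS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      1024   [::]:11211          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*`;

for (const f of auditListeners(SAMPLE_SS)) {
  console.log(`${f.exposed ? 'EXPOSED' : 'ok     '} ${f.service} on ${f.addr}:${f.port}`);
}
```

A socket listing only shows where the service is bound, not whether authentication is configured, so a scoped bind is necessary but not sufficient; the auth setting has to be checked in each database's own configuration.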

The tool is written in NodeJS as it just felt right to write in a “hipster” language.
To use HippyDB, simply fork the Github project, install the requirements and you should be good to go.

Interaction is pretty straightforward, with a menu driven interface. help will give you all the available commands and the tool even includes tab-completion! A sample session against a Riak instance may look as follows: